Description
In the Linux kernel, the following vulnerability has been resolved:

ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls

The size of the data behind scontrol->ipc_control_data for bytes
controls is:
[1] sizeof(struct sof_ipc4_control_data) + // kernel only struct
[2] sizeof(struct sof_abi_hdr)) + payload

The max_size specifies the size of [2] and it is coming from topology.

Change the function to take this into account and allocate an adequate amount
of memory behind scontrol->ipc_control_data.

With the change we will allocate [1] amount more memory to be able to hold
the full size of data.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a mismatch in the calculated allocation size for bytes controls in the SOF IPC4 topology caused the data structure behind scontrol->ipc_control_data to be incorrectly sized. This error could lead to a heap-based buffer overflow or memory corruption when the kernel processes control data that exceeds the originally allocated space. The impact is the potential compromise of kernel memory integrity, which could, in turn, allow privilege escalation or denial of service.
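
The sizing mismatch from the description, as an added example (not the kernel's code and not part of the original record). The two structs are stand-ins with assumed layouts, all names are hypothetical, and the "before" sizing is inferred from the description's statement that the fix allocates [1] more:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in layouts, assumed for illustration; NOT the kernel's definitions. */
struct demo_abi_hdr { uint32_t magic, type, size, abi, reserved[4]; };
struct demo_control_data {            /* [1] kernel-only bookkeeping */
    uint32_t msg[4];
    uint32_t index;
    struct demo_abi_hdr data[];       /* [2] header + payload start here */
};

/* Sizing implied for the old code: [2] only (max_size from topology). */
size_t alloc_size_before(size_t max_size) { return max_size; }
/* Sizing described by the fix: [1] + [2]. */
size_t alloc_size_after(size_t max_size)
{
    return sizeof(struct demo_control_data) + max_size;
}

/* Bounds-checked store: returns 0 if the control fits (and copies it), or the
 * number of bytes that would land past the end of the allocation. */
size_t store_bytes(size_t alloc, const uint8_t *payload, size_t len)
{
    size_t need = sizeof(struct demo_control_data) +
                  sizeof(struct demo_abi_hdr) + len;
    if (need > alloc)
        return need - alloc;          /* refuse instead of overflowing */
    struct demo_control_data *cd = calloc(1, alloc);
    if (!cd)
        return (size_t)-1;
    cd->data->size = (uint32_t)len;
    memcpy((uint8_t *)cd->data + sizeof(struct demo_abi_hdr), payload, len);
    free(cd);
    return 0;
}

int main(void)
{
    size_t max_size = 256;            /* constructed topology value */
    uint8_t payload[256] = {0};
    size_t len = max_size - sizeof(struct demo_abi_hdr); /* largest payload */
    printf("before: %zu bytes short\n",
           store_bytes(alloc_size_before(max_size), payload, len));
    printf("after:  %zu bytes short\n",
           store_bytes(alloc_size_after(max_size), payload, len));
    return 0;
}
```

With a maximum-size control, the shortfall under the old sizing is exactly the size of the kernel-only struct, independent of the value of max_size.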

Affected Systems

The vulnerability affects the Linux kernel, specifically when the SOF (Sound Open Firmware) IPC4 topology functionality is enabled. No specific kernel versions are listed, so all Linux kernels that include the affected code path may be impacted until the patch is applied.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable, so the inherent exploitation probability cannot be quantified from the CVE data. The vulnerability is not listed in the CISA KEV catalog. However, because the flaw involves a heap-based buffer overflow in kernel space, the potential for exploitation is considered high if an attacker can influence the data sent to the SOF IPC4 topology controls. No publicly documented exploit is referenced, but because no mitigation is recorded, preemptive patching is encouraged.

Generated by OpenCVE AI on May 6, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the SOF IPC4 topology allocation size fix, as released by kernel.org or your distribution’s security updates.
  • Ensure that any user-space applications or drivers that interact with SOF IPC controls are also updated to versions that reference the patched kernel logic.
  • If a kernel update cannot be applied immediately, consider disabling the affected IPC topology paths or restricting access to the controls, though no official temporary workaround is provided by the vendor.


Advisories

No advisories yet.

History

Wed, 06 May 2026 13:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-122, CWE-125

Wed, 06 May 2026 12:15:00 +0000

Values Removed: (none)
Values Added:
  Description: the text given in the Description section above
  Title: ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls
  First Time appeared: Linux; Linux linux Kernel
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:32:19.468Z

Reserved: 2026-05-06T11:31:45.509Z

Link: CVE-2025-71286

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:27.737

Modified: 2026-05-06T13:07:51.607

Link: CVE-2025-71286

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T13:30:04Z
